Merge pull request #197 from YunoHost/fix-not-only-alphanumeric-characters-domain-name

[fix] unauthorized-redirect URL check not matching non-alphanumeric characters in domain names
This commit is contained in:
Alexandre Aubin 2021-11-15 19:25:32 +01:00 committed by GitHub
commit 0ce337e17f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -1070,8 +1070,11 @@ function redirect(url)
if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then
url = "https://"..url url = "https://"..url
end end
local domain = url:match("^https?://([%w%.]*)/?") local is_known_domain = false
if string.match(url, "(.*)\n") or (domain ~= nil and not is_in_table(conf["domains"], domain)) then for _, domain in ipairs(conf["domains"]) do
is_known_domain = is_known_domain or url:match("^https?://"..domain.."/?") ~= nil
end
if string.match(url, "(.*)\n") or not is_known_domain then
logger.debug("Unauthorized redirection to "..url) logger.debug("Unauthorized redirection to "..url)
flash("fail", t("redirection_error_invalid_url")) flash("fail", t("redirection_error_invalid_url"))
url = conf.portal_url url = conf.portal_url
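Review bot: The `url:match("^https?://"..domain.."/?")` call inside the new `for` loop interpolates each configured domain into a Lua pattern unescaped and never anchors the end of the host, so `https://example.com.evil.net/` and `https://example.com@evil.net/` both pass as `example.com`, and a `.` or `-` in the domain acts as a wildcard or lazy quantifier rather than a literal (the very characters this fix targets), which makes the check looser, not stricter. Extracting the host and comparing it exactly avoids both problems: `local host = url:match("^https?://([^/?#:]*)")` followed by `local is_known_domain = host ~= nil and is_in_table(conf["domains"], host)`, which keeps any userinfo in the capture so it fails the lookup and leaves the existing `if string.match(url, "(.*)\n") or not is_known_domain then` line unchanged. Note also that a path-relative `url` such as `/foo` is left un-prefixed by the `string.starts(url, "/")` branch at the top of the hunk and now falls back to the portal because nothing ever sets `is_known_domain`, whereas the old `domain ~= nil` guard let it through; if that is intentional it deserves a comment, and if not, any explicit allowance must still reject protocol-relative `//host` forms. Whether the host comparison should be case-insensitive depends on how `conf["domains"]` is populated, which is outside the hunk, as is the rest of `redirect`.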